Data transfers can be suspended until investigation is complete.

In Maximillian Schrems v. Data Protection Commissioner (case C-362/14), the Advocate General ruled that EU data protection authorities do have powers to investigate complaints about the transfer of personal data to the United States by Safe Harbor-certified organisations and can, where justified, suspend data transfers until their investigations are complete.

Safe Harbor Programme

According to the European Commission, the United States is a country of “inadequate” data protection. The European Commission and the US Department of Commerce, therefore, agreed in the year 2000 to a self-certification programme for US organisations to receive personal data sent from Europe. The self-certification programme provided that US organisations must certify that they adhered to standards of data processing that are comparable with EU data protection laws such that EU citizens’ personal data was treated as adequately as if their data had remained within Europe. This Safe Harbor programme is operated by the US Department of Commerce and enforced by the Federal Trade Commission. Over 4,000 organisations have current self-certifications of adherence to Safe Harbor principles.

In the course of Irish litigation, a question was referred to the ECJ for a ruling on whether EU Data Protection Authorities can investigate data transfers to organisations with Safe Harbor certification. Yves Bot, Advocate General at the European Court of Justice (ECJ), said in his opinion released on 23 September 2015 that the Safe Harbor programme does not currently do enough to protect EU citizens’ private data because personal data had been obtained by US authorities in the course of “mass and indiscriminate surveillance and interception of such data” from Safe Harbor-certified organisations. The Irish Data Protection Commissioner, therefore, had the power to investigate complaints about Safe Harbor-certified organisations and, if there are “exceptional circumstances in which the suspension of specific data flows should be justified”, to suspend the data transfers pending the outcome of its investigation.

Key Findings from the Advocate General’s Opinion:

“Th[e] findings of fact demonstrate, in my view, that Decision 2000/520 does not contain sufficient guarantees. Owing to that lack of guarantees, Decision 2000/520 has been implemented in a manner that does not satisfy the requirements of the Charter or of Directive 95/46.”

“There is no independent authority capable of verifying that the implementation of the derogations from the safe harbor principles is limited to what is strictly necessary.”

“The [EU] Commission ought to have suspended the application of Decision 2000/520.”

“Although it was aware of shortcomings in the application of Decision 2000/520, the Commission neither suspended nor adapted that decision, thus entailing the continuation of the breach of the fundamental rights of the persons whose personal data was and continues to be transferred under the safe harbor scheme.”

“I am therefore of the view that Decision 2000/520 must be declared invalid.”

While the Advocate General’s opinions are not binding, they are often followed by the ECJ. The decision of the ECJ is expected soon.

Recommendations to Improve the Safe Harbor Programme

In 2013, following much discussion in the EU about the Safe Harbor programme after Edward Snowden’s revelations about the NSA’s PRISM programme, thirteen recommendations were made to improve the Safe Harbor programme.

The key recommendations are as follows:

Self-certified companies should publicly disclose their privacy policies
Privacy policies on self-certified companies’ websites should always include a link to the Department of Commerce Safe Harbour website
Self-certified companies should publish privacy conditions of any contracts they have with subcontractors (e.g., cloud computing services)
The Department of Commerce should indicate which companies are no longer current members of the programme
The privacy policies on companies’ websites should include a link to the alternative dispute resolution (ADR) provider
The Department of Commerce should monitor ADR providers more systematically
The Federal Trade Commission should enforce misuse of the safe harbor certification more rigorously and conduct general investigations into certified organisations’ compliance with their privacy policies
Privacy policies should note when an organisation will apply national security or law enforcement exemptions to allow data to be shared with US authorities

A final decision on whether these recommendations will be implemented is still awaited from the EU.

Summary

Notwithstanding the debate over the last two years, many organisations still view the Safe Harbor programme as an appropriate standard in data protection for non-European businesses and consider the Safe Harbor-certification as being a mark of trust in their data protection processes. Organisations that transfer personal data from Europe to the United States using the Safe Harbor programme may be concerned about the potential disruption to international data flows if the ECJ follows the Advocate General’s opinion and the organisation is subsequently investigated by a European data protection authority. One important issue that the ECJ must address is whether the European Commission and/or EU Data Protection Authorities are authorised to “suspend” Safe Harbor-certified data transfers. The European Commission is considering the above-mentioned recommendations to improve data protection measures under Safe Harbor. The ECJ should, therefore, be mindful not to create a patchwork of some (perhaps stricter) EU Data Protection Authorities suspending data transfers by certain organisations, while other Data Protection Authorities have no such objections about these same organisations. Under the proposed new General Data Protection Regulation, there will be a consistency mechanism that is designed to avoid such a situation.

It is also worth noting that nothing about this decision invalidates Safe Harbor as a mechanism to transfer data. It merely provides that a data protection authority investigating a specific organisation could, upon finding “exceptional circumstances”,suspend that organisation’s ability to transfer data under Safe Harbor pending investigation. If organisations remain in full compliance with their Safe Harbor obligations, they should have no reason to fear suspension of data flows.

Before blocking the data flows or “suspending” Safe Harbor, the European Commission and the Data Protection Authorities should bear in mind that the US Government has made strides to block illegal data collections by law enforcement authorities (e.g., by the USA Freedom Act of 2015 or the Presidential Policy Directive 28). The Federal Trade Commission has also imposed penalties on various companies that were deemed not Safe Harbor-complaint by way of consent decrees.

For organisations with concerns that their Safe Harbor certification may be undermined by this ruling, there are other options to transfer personal data to the United States, including express consent and the use of Binding Corporate Rules or EU-approved model clause agreements.

Dr. Axel Spies has advised clients for many years on various international issues, including licensing, competition, corporate issues, and new technologies such as cloud computing. He counsels on international data protection (EU General Data Protection Regulation), international data transfers (Privacy Shield), healthcare, technology licensing, e-discovery, and equity purchases. A member of the Sedona Conference on Electronic Discovery, Dr. Spies is frequently quoted in the media for his telecommunications and privacy knowledge.

Pulina Whitaker’s practice encompasses both labor and employment matters as well as data privacy and cybersecurity. She manages employment and data privacy issues in sales and acquisitions, commercial outsourcings, and restructurings. Pulina provides day-to-day advisory support for multinationals on all employment issues, including the UK’s Modern Slavery Act and gender pay reporting requirements. She also advises on the full spectrum of data privacy issues, including preparing for the General Data Protection Regulation. Pulina has deep experience managing international employee misconduct investigations and has been appointed as a Compliance Monitor for a transnational organization.

As practice group leader for Morgan Lewis’s labor and employment practice in London, Matthew Howse represents clients in the financial services, media, legal, and insurance industries in High Court and employment tribunal litigation. His experience includes employment law as well as privacy and cybersecurity law. In addition to litigating both contentious and noncontentious issues, Matthew provides strategic employment law advice and counsels clients on the employment law aspects of transactions.

Gregory T. Parks counsels and defends retail companies and other consumer facing clients in matters related to privacy and cybersecurity, class actions and Attorney General actions, consumer protection laws, loyalty and gift card programs, retail operations, payment mechanisms, product liability, waste management, shoplifting prevention, compliance, antitrust, and commercial disputes. If it is important to a retail company, Greg makes it his business to know it. He handles all phases of litigation, trial, and appeal work arising from these and other areas. Greg is the co...

Legal Disclaimer

You are responsible for reading, understanding and agreeing to the National Law Review's (NLR’s) and the National Law Forum LLC's Terms of Use and Privacy Policy before using the National Law Review website. The National Law Review is a free to use, no-log in database of legal and business articles. The content and links on www.NatLawReview.com are intended for general information purposes only. Any legal analysis, legislative updates or other content and links should not be construed as legal or professional advice or a substitute for such advice. No attorney-client or confidential relationship is formed by the transmission of information between you and the National Law Review website or any of the law firms, attorneys or other professionals or organizations who include content on the National Law Review website. If you require legal or professional advice, kindly contact an attorney or other suitable professional advisor.

Some states have laws and ethical rules regarding solicitation and advertisement practices by attorneys and/or other professionals. The National Law Review is not a law firm nor is www.NatLawReview.com intended to be a referral service for attorneys and/or other professionals. The NLR does not wish, nor does it intend, to solicit the business of anyone or to refer anyone to an attorney or other professional. NLR does not answer legal questions nor will we refer you to an attorney or other professional if you request such information from us.

Under certain state laws the following statements may be required on this website and we have included them in order to be in full compliance with these rules. The choice of a lawyer or other professional is an important decision and should not be based solely upon advertisements. Attorney Advertising Notice: Prior results do not guarantee a similar outcome. Statement in compliance with Texas Rules of Professional Conduct. Unless otherwise noted, attorneys are not certified by the Texas Board of Legal Specialization, nor can NLR attest to the accuracy of any notation of Legal Specialization or other Professional Credentials.

The National Law Review - National Law Forum LLC 4700 Gilbert Ave. Suite 47 #230 Western Springs, IL 60558 Telephone (708) 357-3317 If you would ike to contact us via email please click here.